Report: Public Wi-Fi Leaves Smartphone Data Vulnerable

The Guardian reports that in tests conducted by security experts in the UK, sensitive data from smartphones could be readily harvested by way of public Wi-Fi "hotspots" leaving users susceptible to fraud and identity theft.

Researchers were able to gather usernames, passwords and messages even if the targeted user was not in the process of accessing the web simply because the mobile unit was turned on.

The data gleaning was accomplished by establishing bogus Wi-Fi connections that mimicked BT's 2.5 million "Openzone" public Wi-Fi access points.

"This hack is known as 'Evil Twin' and has been known to the industry and others for some years," BT stated.

Many smartphones sold in the UK are set to access the the BT connections automatically, and bogus connections are difficult to identify because they are typically only identified by a name and require no authentication to access.

"We became aware of the potential for criminals to use Wi-Fi in this way last year and have become increasingly concerned. All they need is to set themselves up in a public place with a laptop and a mobile router called 'BTOpenzone' or 'Free Wifi' and unsuspecting members of the public come along and connect to them. Once that happens, there is software out there that enables them to gather usernames and passwords for each site a user signs in to while surfing the net. And once criminals have access to your email accounts, Facebook account, Amazon history and so on, the potential for fraud and identity theft is very serious indeed. Until there are improvements in security, I would advise people to be very wary indeed when using insecure Wi-Fi in public places," said Stuart Hyde, the Association of Chief Police Officers' lead on e-crime prevention.

BT is working with the Wireless Broadband Alliance to establish standardized detailed credentials that will make authentic Openzone Wi-Fi access points more easily identified, but the protocols may not make the fake ones detectable.

At present, the best way to avoid being victimized is to avoid using public Wi-Fi connections as a rule. Security experts advise users disable features that automatically connect to open Wi-Fi connections when in public.

"This is all very alarming. It means that literally millions of people who use Wi-Fi in public could be at risk. If criminals are able to harvest the usernames and passwords of all the websites you visit, they could do significant damage in terms of identity theft and fraud. The safest route for existing users of mobile phones, particularly if they use BT Fon or Openzone, is to switch off their Wi-Fi when they leave home and only use it on systems they know to be secure – such as at home or at work. Everywhere else you use Wi-Fi – whether in a coffee shop, an airport, a railway station and especially out in the street – you are taking a calculated risk," said Peter Sommer, a cyber-security expert at the London School of Economics.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.